Skip to main content
SpringerLink
Log in
Book cover

International Conference on Distributed Computing and Internet Technology

ICDCIT 2011: Distributed Computing and Internet Technology pp 15–34Cite as

Protecting Critical Infrastructures While Preserving Each Organization’s Autonomy

  • Conference paper

  • 617 Accesses

Part of the book series: Lecture Notes in Computer Science ((LNISA,volume 6536))

Abstract

In critical infrastructures (CIs), different organizations must cooperate, while being mutually suspicious since they have different interests and can be in competition on some markets. Moreover, in most cases, there is no recognized authority that can impose global security rules to all participating organizations. In such a context, it is difficult to apply good security practices to the interconnected information systems that control the critical infrastructure. In this paper, we present the PolyOrBAC security framework, aimed at securing global infrastructures while preserving each participating organization’s autonomy. In this framework, each organization is able to protect its assets by defining its own security policy and enforcing it by its own security mechanisms, and the global infrastructure is protected by controlling and auditing all interactions between participating organizations. PolyOrBAC helps to satisfy the CII security requirements related to secure cooperation, autonomy and confidentiality, monitoring and audit, and scalability.

This is a preview of subscription content, log in via an institution.

Chapter
USD   29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD   39.99
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD   54.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Learn about institutional subscriptions

Preview

Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.

References

  1. Abou El Kalam, A., El Baida, R., Balbiani, P., Benferhat, S., Cuppens, F., Deswarte, Y., Miege, A., Saurel, C., Trouessin, G.: Organization Based Access Control. In: Proc. of IEEE 4th Intl Workshop on Policies for Distributed Systems and Networks (POLICY 2003), Lake Come, Italy, June 14-16, pp. 120–131 (2003)

    Google Scholar 

  2. Abou El Kalam, A., Deswarte, Y.: Multi-OrBAC: a New Access Control Model for Distributed, Heterogeneous and Collaborative Systems. In: IEEE Symp. on Systems and Information Security (SSI 2006), Sao Paulo, Brazil (2006)

    Google Scholar 

  3. Abou El Kalam, A., Deswarte, Y., Baïna, A., Kaâniche, M.: Access Control for Collaborative Systems: A Web Services Based Approach. In: IEEE Intl Conf. on Web Services (ICWS 2007), Salt Lake City, Utah, USA, July 9-13, pp. 1064–1071 (2007)

    Google Scholar 

  4. Abou El Kalam, A., Deswarte, Y.: Critical Infrastructures Security Modeling, Enforcement and Runtime Checking. In: Setola, R., Geretshuber, S. (eds.) CRITIS 2008. LNCS, vol. 5508, pp. 95–108. Springer, Heidelberg (2009)

    Chapter  Google Scholar 

  5. Abou El Kalam, A., Deswarte, Y., Baïna, A., Kaâniche, M.: PolyOrBAC: A Security Framework for Critical Infrastructures. International Journal of Critical Infrastructure Protection (IJCIP) 2, 154–169 (2009)

    Article  Google Scholar 

  6. Adam, N.R., Atluri, V., Huang, W.-K.: Modeling and Analysis of Workflows Using Petri Nets. Journal of Intelligent Information Systems, Special Issue on Workflow and Process Management 2(2), 131–158 (1998)

    Article  Google Scholar 

  7. Alur, R., Dill, D.L.: A Theory of Timed Automata. Theoretical Computer Science 126(2), 183–235 (1994)

    Article  MathSciNet  MATH  Google Scholar 

  8. Amin, M.: North America’s Electricity Infrastructure: Are We Ready for More Perfect Storms? IEEE Security and Privacy 1(5), 19–25 (2003)

    Article  Google Scholar 

  9. Baïna, A.: Modèles et politiques de sécurité pour la protection des infrastructures critiques, Doctorate Thesis, Université de Toulouse, LAAS-CNRS (September 29, 2009) (in French)

    Google Scholar 

  10. Beitollahi, H., Deconinck, G.: An Overlay Protection Layer Against Denial-of-Service Attacks. In: 22nd IEEE Intl Parallel and Distributed Processing Symposium (IPDPS 2008), Miami, Florida, May 14-18, pp. 1–8 (2008)

    Google Scholar 

  11. Berard, B., Bidiot, M., Finkel, A., Laroussinie, F., Petit, A., Petrucci, L., Schnoebelen, P., McKenzie, P.: Systems and Software Verification, Model Checking Techniques and Tools. Springer, Heidelberg (2001) ISBN 3-540-41523-7

    Book  MATH  Google Scholar 

  12. Bertino, E., Ferrari, E., Alturi, V.: The Specification and Enforcement of Authorization Constraints in Workflow Management Systems. ACM Transactions on Information and System Security (TISSEC) 2(1), 65–104 (1999)

    Article  Google Scholar 

  13. Bertino, E., Jajodia, S., Samarati, P.: Flexible Support for Multiple Access Control Policies. ACM Transaction on Database Systems (TODS) 26(2), 214–260 (2001)

    Article  MATH  Google Scholar 

  14. Bettini, C., Jajodia, S., Wang, X.S., Wijesekera, D.: Obligation Monitoring in Policy Management. In: Proc. of IEEE 3rd Intl Workshop on Policies for Distributed Systems and Networks (POLICY 2002), Monterey, CA, June 5-7, pp. 2–12 (2002)

    Google Scholar 

  15. Beznosov, K., Deng, Y.: A Framework for Implementing Role-Based Access Control Using CORBA Security Service. In: 4th ACM Workshop on Role-Based Access Control, Fairfax, VA, USA, October 28-29, pp. 19–30 (1999)

    Google Scholar 

  16. Cuppens, F., Cuppens-Boulahia, N., Coma, C.: O2O: Virtual Private Organizations to Manage Security Policy Interoperability. In: Bagchi, A., Atluri, V. (eds.) ICISS 2006. LNCS, vol. 4332, pp. 101–115. Springer, Heidelberg (2006)

    Chapter  Google Scholar 

  17. Damianou, N., Dulay, N., Lupu, E.: The Ponder Policy Specification Language. In: Sloman, M., Lobo, J., Lupu, E.C. (eds.) POLICY 2001. LNCS, vol. 1995, pp. 18–38. Springer, Heidelberg (2001)

    Chapter  Google Scholar 

  18. Feng, X., Guoyuan, L., Xuzhou, X.: Role-based Access Control System for Web Services. In: 4th International Conference on Computer and Information Technology (CIT 2004), Wuhan, China, September 14-16, pp. 357–362 (2004)

    Google Scholar 

  19. Ferraiolo, D., Sandhu, R., Gavrila, S., Kuhn, D.R., Chandramouli, R.: Proposed NIST Standard for Role-Based Access Control. ACM Transactions on Information and System Security (TISSEC) 4(3), 224–274 (2001)

    Article  Google Scholar 

  20. Garrone, F., Brasca, C., Cerotti, D., Codetta Raiteri, D., Daidone, A., Deconinck, G., Donatelli, S., Dondossola, G., Grandoni, F., Kaaniche, M., Rigole, T.: Analysis of new control applications. CRUTIAL project, Deliverable D2 (January 2007)

    Google Scholar 

  21. Hilt, D.W.: August 14, 2003, Northeast Blackout Impacts and Actions and the Energy Policy Act of 2005. In: North American Electric Reliability Council (NERC), Presentation at ISPE Annual Conference (August 2, 2006), http://www.nerc.com/filez/blackout.html

  22. Hilty, M., Pretschner, A., Basin, D., Schaefer, C., Walter, T.: A Policy Language for Distributed Usage Control. In: Biskup, J., López, J. (eds.) ESORICS 2007. LNCS, vol. 4734, pp. 531–546. Springer, Heidelberg (2007)

    Chapter  Google Scholar 

  23. Laprie, J.C., Kanoun, K., Kaâniche, M.: Modelling Interdependencies Between the Electricity and Information Infrastructures. In: Saglietti, F., Oster, N. (eds.) SAFECOMP 2007. LNCS, vol. 4680, pp. 57–67. Springer, Heidelberg (2007)

    Google Scholar 

  24. Leune, K., van den Heuvel, W.-J.: A Methodology for Developing Role-Based Access/Control to Web-Services. Tilburg University, Infolab Technical Report Series, no. 11 (December 2002)

    Google Scholar 

  25. Lin, D., Rao, P., Bertino, E., Li, N., Lobo, J.: Policy Decomposition for Collaborative Access Control. In: 13th ACM Symposium on Access Control Models and Technologies (SACMAT 2008), Estes Park, CO, USA, pp. 103–112 (2008)

    Google Scholar 

  26. Lorch, M., Proctor, S., Lepro, R., Kafura, D., Shah, S.: First Experiences Using XACML for Access Control in Distributed Systems. In: 2003 ACM Workshop on XML Security, Fairfax, VA, pp. 25–37 (2003)

    Google Scholar 

  27. Ni, Q., Bertino, E., Lobo, J.: An Obligation model bridging access control policies and privacy policies. In: 13th ACM SACMAT, Estes Park, CO, USA, June 11-13 (2008)

    Google Scholar 

  28. OASIS, Universal Description, Discovery and Integration v3.0.2 (UDDI), UDDI Specification TC, OASIS Standard (February 2005)

    Google Scholar 

  29. OASIS, Web Services Security: SOAP Message Security 1.1 (WS-Security 2004), OASIS Standard Specification (February 1, 2006)

    Google Scholar 

  30. OASIS, eXtensible Access Control Markup Language (XACML) Version 2.0, OASIS Standard (February 1, 2005)

    Google Scholar 

  31. OASIS, XML Catalogs, OASIS Standard V1.1 (October 7, 2005)

    Google Scholar 

  32. Pearlman, L., Welch, V., Foster, I., Kesselman, C., Tuecke, S.: A Community Authorization Service for Group Collaboration. In: Proc. of IEEE 3rd Intl Workshop on Policies for Distributed Systems and Networks (POLICY 2002), Monterey, CA, June 5-7, pp. 50–59 (2002)

    Google Scholar 

  33. Rinaldi, S.M., Peerenboom, J.P., Kelly, T.K.: Identifying, understanding, and analyzing critical infrastructure interdependencies. IEEE Control Systems Magazine 21(6), 11–25 (2001)

    Article  Google Scholar 

  34. Sandhu, R.S., Coyne, E.J., Feinstein, H.L., Youman, C.E.: Role-Based Access Control Models. IEEE Computer 29(2), 38–47 (1996)

    Article  Google Scholar 

  35. Shehab, M., Bertino, E., Ghafoor, A.: Secure Collaboration in Mediator-Free Environments. In: 12th ACM Conference on Computer and Communications Security (CCS 2005), Alexandria, VA, pp. 58–67 (2005)

    Google Scholar 

  36. Sturm, C., Dittrich, K.R., Ziegler, P.: An access control mechanism for P2P collaborations. In: Proceedings of the 2008 International Workshop on Data Management in Peer-to-peer Systems (DaMaP 2008), Nantes, France, March 25, pp. 51–58 (2008)

    Google Scholar 

  37. UPPAAL tool available at, http://www.uppaal.com

  38. Verissimo, P., Neves, N.F., Correia, M., Deswarte, Y., Abou El Kalam, A., Bondavalli, A., Daidone, A.: The CRUTIAL Architecture for Critical Information Infrastructures. In: de Lemos, R., Di Giandomenico, F., Gacek, C., Muccini, H., Vieira, M. (eds.) Architecting Dependable Systems V. LNCS, vol. 5135, pp. 1–27. Springer, Heidelberg (2008)

    Chapter  Google Scholar 

  39. Vuong, N., Smith, G.S., Deng, Y.: Managing Security Policies in a Distributed Environment Using eXtensible Markup Language (XML). In: 2001 ACM Symposium on Applied Computing (SAC 2001), Las Vegas, NV, pp. 405–411 (2001)

    Google Scholar 

  40. W3C, SOAP Specifications, W3C Recommendation, 2nd edn. (April 27, 2007)

    Google Scholar 

  41. W3C, Web Services Description Language (WSDL) 1.1, W3C Note (March 15, 2001)

    Google Scholar 

Download references

Author information

Authors and Affiliations

  1. CNRS, LAAS, 7 avenue du Colonel Roche, F-31077, Toulouse, France

    Yves Deswarte

  2. Université de Toulouse, UPS, INSA, INP, ISAE, LAAS, F-31077, Toulouse, France

    Yves Deswarte

Authors
  1. Yves Deswarte
    View author publications

    You can also search for this author in PubMed Google Scholar

Editor information

Editors and Affiliations

  1. Tata Institute of Fundamental Research, School of Technology & Computer Science, Homi Bhabha Road, Colaba, 400005, Mumbai, India

    Raja Natarajan

  2. International Institute of Software Technology, Center for Electronic Governance, United Nations University, P.O. Box 3058, Macao

    Adegboyega Ojo

Rights and permissions

Reprints and permissions

Copyright information

© 2011 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Deswarte, Y. (2011). Protecting Critical Infrastructures While Preserving Each Organization’s Autonomy. In: Natarajan, R., Ojo, A. (eds) Distributed Computing and Internet Technology. ICDCIT 2011. Lecture Notes in Computer Science, vol 6536. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-19056-8_2

Download citation

  • DOI: https://doi.org/10.1007/978-3-642-19056-8_2

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-19055-1

  • Online ISBN: 978-3-642-19056-8

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Search

Navigation